SUMMARY
RBI believes that storing such credentials would put customers at risk of cybersecurity breaches
Even payment aggregators are barred from storing customer card credentials within their servers assessed by the merchant
Merchants noted that such a move will disrupt the digital payments ecosystem and make
subscription services inconvenient for the customers
The Reserve Bank of India (RBI) has reportedly rejected the request of top merchants — Amazon, Microsoft, Netflix, Flipkart and Zomato — to store customers credit card details as the move would put customers at the risk of cybersecurity breaches.
The central bank has forbidden the merchants to store credit card credentials “and related data” on their servers under the new payment aggregators and payment gateway (PA-PG) norms that come into effect from 2021. The guidelines also bar payment aggregators from storing customer card credentials within their database or the servers assessed by the merchants. The new guidelines will treat all payment aggregators as regulated entities under the Payment and Settlement Systems Act (2007) under the central bank’s direct supervision.
However, industry experts believe that such a move will disrupt the digital payments ecosystem and make subscription services inconvenient for the customers.
RBI has decided to not allow merchants to store such financial data as they would anyway not be answerable in case of any security breaches since the norm pertains to payment aggregators and gateways. According to an ET report citing sources, these merchants had sought a meeting with the RBI, claiming that they haven’t been adequately represented but the central bank shot down their demand.
The merchants wrote to the RBI on February 1, arguing that the new guidelines will disrupt a system that has been functioning seamlessly. The merchants also represented their banks, payment aggregators and network operators like Visa and MasterCard. It is important to note that these level 1 merchants collectively transact with more than 250 Mn users in India.
“The most significant unintended consequence of this restriction on storage of customer cards and related data is that it makes the payments ecosystem systemically fragile. Owing to this restriction, merchants and PAs will be constrained to call the API of a bank for authentication every time a customer executes a transaction. Significant build- up of transactions at any issuing bank exposes the payments ecosystem to significant systemic failure risk,” Mandar Kagade, founder principal of Black Dot Public Policy Advisors told the publication.
